Workaround problems with hardened runtime, needed for notarization #259
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This will allow us to customise the flags in a later patch. Signed-off-by: David Scott <[email protected]>
src/lib/vmm/vmm_mem.c
Outdated
|
|
||
| int | ||
| vmm_mem_init(void) | ||
| { | ||
| if (vmm_get_kern_osrelease() >= OSRELEASE_MOJAVE) { | ||
| fprintf(stderr, "Detected Mojave or later, will use MAP_JIT\n"); |
There was a problem hiding this comment.
I would log on the pre Mojave case, as thats the "buggy" case
|
This seems reasonable to me. Have you tested that it works with this? |
The VM requires writeable + executable memory which is blocked when the "hardened runtime" is enabled at the codesigning stage. If we pass the `MAP_JIT` flag then we can add the capability com.apple.security.cs.allow-jit [1] to permit the allocation. The alternative is to globally enable write+execute for all allocations in the process which seems worse [2] [1] https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_allow-jit [2] https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_allow-unsigned-executable-memory Signed-off-by: David Scott <[email protected]>
|
FWIW alternatively one can use the following entitlement: <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>This is working for us in Multipass for a while now. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
On macOS 10.15 Catalina and later applications need to be Notarized where notarization is an Apple malware- and security-check of the released binaries.
As part of the notarization process, Apple require that hardened runtime is enabled. This prevents
Currently
hyperkitusesvallocto allocate memory for the VM and then grants the VMREAD,WRITEandEXECUTE, which will fail if the hardened runtime is enabled.One workaround is to grant the
hyperkitbinary the Allow Unsigned Executable Memory Entitlement which disables the writable+executable check for all allocations done by the process.This patch proposes another workaround, which is to switch from using
valloctommapwith the special flagMAP_JIT. This allows us to use the weaker Allow Execution of JIT-compiled Code entitlement, so that only the VM memory allocation is writable+executable, other allocations are not.Note that, according to the mono project mono/mono@a502768 the
MAP_JITflag causes problems with older version of macOS, so they recommend only enabling it for Mojave and later.Note that enabling the hardened runtime and adding entitlements is done at the
codesignstage which means we can't easily test this from the current CI as the binaries are unsigned.